SlideShare une entreprise Scribd logo

Protect Your Passwords, Secure Your Servers

Télécharger en tant que PPT, PDF
Steven Davis
Steven Davis

There have been too many sites compromising personal data. There is no excuse. It is not hard to stop most, if not all hackers. All you have to do is care about your customers. This module describes how you can easily and effectively stop many hack attacks and protect your customer data on your servers. For more information, tools, and resources, visit http://free2secure.com/. If you are interested in keeping up with the latest books, articles, and tools from me at Free2Secure send me an email steve @ free2secure.com with the subject “Subscribe”. If you have any security questions, issues, or shoot me a note to steve @ free2secure.com with the subject “Help”.

LogicielsTechnologie
1  sur  12
Security eBooks Protecting Passwords & Securing Servers Steven Davis steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Standard Server Architecture • 3-Tier / N-Tier • Lots of Apps and Services on a box • Split up for performance, if at all • … a “mini-cloud” • Why? Servers Expensive… in the old days steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Bootstrap Attack! • Attackers use weakness in one part of a system to attack another – Privilege Escalation … dangerous if more privileges can get you somewhere – SQL Injection … only dangerous if there is something valuable in the same database or accessible via the same account steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks The Server Architecture Problem • Lots of tools and lots of developers – Many of them not on your team – Very few security focused • Too many things to go wrong! steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Solution – More Servers (or Virtual Servers) • Break up online service infrastructure to multiple servers by function • Reduce number that are internet facing • Reduce and simplify security interfaces • Add proxies to isolate data and applications steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks One Data Store per Server App Divide for Security Game Engine Player Assets Player Account Community Player Access Info • Separate Database & Access Account • Separate Data Store BETTER • Separate Virtual Server w/own Database App • Separate Actual Server Add “Connector” Datastores (Login Status, Player Stats, etc.) rather than links to critical databases steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Combine with Proxy Security Some online games dangerously include a SQL client and talk directly to the game server Rules Validation Data Validation Validation Message Incoming Message Database • Protecting Database from SQL injection / direct queries • Allows Rules Validation on Server or reallocation to other players steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Make Password Service a “Dumb Appliance” Secure User Name / Account Name Password Session Server Account Name / Password Identifier Server Password Identifier / Password Seed Login Server Password Identifier / Password Transform • Separate out Password verification from Login Service/Server • Have Password Service work at a slow pace • Use VERY SLOW Cryptography – Select algorithms or combinations of algorithms to take a specific amount of time… traditional cryptography is designed to run fast to support communications…. This is not the problem we face with passwords! • Consider Split Architectures steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Protect Email and Online Service Identity Info… by Login Service taking them (Encrypted) Active offline Info Updates Service • Users don’t need regular Back Office access to their entire identity profile… so take Personal Info what is not needed regularly offline Email • Only have temporary store for user info while it is being entered or Payment Info changed steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks Six Forms of Personal ID • Separate them and use them all – Login Name Using emails for user names or – Internal Account Number user names for handles just – Handle (Community name) makes attacking easier – Email – Personal Contact Information – Payment Information steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks What next? • Don’t give up! • More security presentations at: http://free2secure.com/ • Check out my book “Protecting Games” – Additional information at http://playnoevil.com/ • You can “win” the security game steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Security eBooks About Me • Steven Davis – 25+ Years of Security Expertise – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications • http://www.linkedin.com/in/playnoevil – Author, “Protecting Games” • Why Free2Secure? – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/ – Join me there, ask questions, challenge assumptions, let’s make things better steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416

Recommandé

Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Amazon Web Services
 
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...Morgan Simonsen
 
Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldMichele Leroux Bustamante
 
I GOvirtual En Brochure
I GOvirtual En BrochureI GOvirtual En Brochure
I GOvirtual En Brochureguybelliveau
 
Getting Started with Containers
Getting Started with ContainersGetting Started with Containers
Getting Started with ContainersVivek Raja P S
 
AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-On
AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-OnAWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-On
AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-OnAmazon Web Services
 
The VDI InfoSec Conundrum
The VDI InfoSec ConundrumThe VDI InfoSec Conundrum
The VDI InfoSec ConundrumVirtualTal
 
17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvaria17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvariaLuiz Gustavo Santos
 

Recommandé

Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Amazon Web Services
 
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...
NIC 2017 Did you like Azure RMS? You will like Azure Information Protection e...Morgan Simonsen
 
Pricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldPricing and Revenue Projection in a Cloud-Centric World
Pricing and Revenue Projection in a Cloud-Centric WorldMichele Leroux Bustamante
 
I GOvirtual En Brochure
I GOvirtual En BrochureI GOvirtual En Brochure
I GOvirtual En Brochureguybelliveau
 
Getting Started with Containers
Getting Started with ContainersGetting Started with Containers
Getting Started with ContainersVivek Raja P S
 
AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-On
AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-OnAWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-On
AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-OnAmazon Web Services
 
The VDI InfoSec Conundrum
The VDI InfoSec ConundrumThe VDI InfoSec Conundrum
The VDI InfoSec ConundrumVirtualTal
 
17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvaria17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvariaLuiz Gustavo Santos
 
Protect Your Client Software and Identification Security
Protect Your Client Software and Identification SecurityProtect Your Client Software and Identification Security
Protect Your Client Software and Identification SecuritySteven Davis
 
Fight Game Cheating the Easy Way
Fight Game Cheating the Easy WayFight Game Cheating the Easy Way
Fight Game Cheating the Easy WaySteven Davis
 
Fighting online game cheating with cryptography
Fighting online game cheating with cryptographyFighting online game cheating with cryptography
Fighting online game cheating with cryptographySteven Davis
 
Game Design Principles and Inspiration
Game Design Principles and InspirationGame Design Principles and Inspiration
Game Design Principles and InspirationJohn Say
 
Protect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data ObfuscationProtect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data ObfuscationSteven Davis
 
Online Security - The Good, the Bad, and the Crooks
Online Security - The Good, the Bad, and the CrooksOnline Security - The Good, the Bad, and the Crooks
Online Security - The Good, the Bad, and the CrooksSteven Davis
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentationguestf018d88
 
Electronic security
Electronic securityElectronic security
Electronic securityWe Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Electronic Security
Electronic SecurityElectronic Security
Electronic SecurityWe Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docsDavid Strom
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...Morgan Simonsen
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3Irsandi Hasan
 
Deploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWSDeploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWSAmazon Web Services
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
RSA Secur id for windows
RSA Secur id for windowsRSA Secur id for windows
RSA Secur id for windowsarpit06055
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.NetÖnsel Akın
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...Liam Cleary [MVP]
 
E commerce security
E commerce securityE commerce security
E commerce securityRoha1234567
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_PresentationAustin Nagel
 
Overall cryptography and pki introduction
Overall cryptography and pki introductionOverall cryptography and pki introduction
Overall cryptography and pki introductionAvirot Mitamura
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 

Contenu connexe

En vedette

Protect Your Client Software and Identification Security
Protect Your Client Software and Identification SecurityProtect Your Client Software and Identification Security
Protect Your Client Software and Identification SecuritySteven Davis
 
Fight Game Cheating the Easy Way
Fight Game Cheating the Easy WayFight Game Cheating the Easy Way
Fight Game Cheating the Easy WaySteven Davis
 
Fighting online game cheating with cryptography
Fighting online game cheating with cryptographyFighting online game cheating with cryptography
Fighting online game cheating with cryptographySteven Davis
 
Game Design Principles and Inspiration
Game Design Principles and InspirationGame Design Principles and Inspiration
Game Design Principles and InspirationJohn Say
 
Protect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data ObfuscationProtect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data ObfuscationSteven Davis
 
Online Security - The Good, the Bad, and the Crooks
Online Security - The Good, the Bad, and the CrooksOnline Security - The Good, the Bad, and the Crooks
Online Security - The Good, the Bad, and the CrooksSteven Davis
 

En vedette (6)

Protect Your Client Software and Identification Security
Protect Your Client Software and Identification SecurityProtect Your Client Software and Identification Security
Protect Your Client Software and Identification Security
 
Fight Game Cheating the Easy Way
Fight Game Cheating the Easy WayFight Game Cheating the Easy Way
Fight Game Cheating the Easy Way
 
Fighting online game cheating with cryptography
Fighting online game cheating with cryptographyFighting online game cheating with cryptography
Fighting online game cheating with cryptography
 
Game Design Principles and Inspiration
Game Design Principles and InspirationGame Design Principles and Inspiration
Game Design Principles and Inspiration
 
Protect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data ObfuscationProtect Data in Your Software Client - Data Obfuscation
Protect Data in Your Software Client - Data Obfuscation
 
Online Security - The Good, the Bad, and the Crooks
Online Security - The Good, the Bad, and the CrooksOnline Security - The Good, the Bad, and the Crooks
Online Security - The Good, the Bad, and the Crooks
 

Similaire à Protect Your Passwords, Secure Your Servers

Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentationguestf018d88
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docsDavid Strom
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...Morgan Simonsen
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3Irsandi Hasan
 
Deploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWSDeploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWSAmazon Web Services
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
RSA Secur id for windows
RSA Secur id for windowsRSA Secur id for windows
RSA Secur id for windowsarpit06055
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...Liam Cleary [MVP]
 
E commerce security
E commerce securityE commerce security
E commerce securityRoha1234567
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_PresentationAustin Nagel
 
Overall cryptography and pki introduction
Overall cryptography and pki introductionOverall cryptography and pki introduction
Overall cryptography and pki introductionAvirot Mitamura
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISECisco Canada
 
SharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationSharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationLiam Cleary [MVP]
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Amazon Web Services
 
Making sense of Microsoft Cloud Licenses Security Features
Making sense of Microsoft Cloud Licenses Security Features Making sense of Microsoft Cloud Licenses Security Features
Making sense of Microsoft Cloud Licenses Security Features TechSoup
 

Similaire à Protect Your Passwords, Secure Your Servers (20)

Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentation
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentation
 
Electronic security
Electronic securityElectronic security
Electronic security
 
Electronic Security
Electronic SecurityElectronic Security
Electronic Security
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docs
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3
 
Deploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWSDeploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWS
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
RSA Secur id for windows
RSA Secur id for windowsRSA Secur id for windows
RSA Secur id for windows
 
Owasp & Asp.Net
Owasp & Asp.NetOwasp & Asp.Net
Owasp & Asp.Net
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
 
E commerce security
E commerce securityE commerce security
E commerce security
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_Presentation
 
Overall cryptography and pki introduction
Overall cryptography and pki introductionOverall cryptography and pki introduction
Overall cryptography and pki introduction
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
SharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationSharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorization
 
Office 365 Identity Management options
Office 365 Identity Management options Office 365 Identity Management options
Office 365 Identity Management options
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
 
Making sense of Microsoft Cloud Licenses Security Features
Making sense of Microsoft Cloud Licenses Security Features Making sense of Microsoft Cloud Licenses Security Features
Making sense of Microsoft Cloud Licenses Security Features
 

Dernier

Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 

Dernier (20)

Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Odoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting ServiceOdoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting Service
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 

Protect Your Passwords, Secure Your Servers

  • 1. Security eBooks Protecting Passwords & Securing Servers Steven Davis steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 2. Security eBooks Standard Server Architecture • 3-Tier / N-Tier • Lots of Apps and Services on a box • Split up for performance, if at all • … a “mini-cloud” • Why? Servers Expensive… in the old days steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 3. Security eBooks Bootstrap Attack! • Attackers use weakness in one part of a system to attack another – Privilege Escalation … dangerous if more privileges can get you somewhere – SQL Injection … only dangerous if there is something valuable in the same database or accessible via the same account steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 4. Security eBooks The Server Architecture Problem • Lots of tools and lots of developers – Many of them not on your team – Very few security focused • Too many things to go wrong! steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 5. Security eBooks Solution – More Servers (or Virtual Servers) • Break up online service infrastructure to multiple servers by function • Reduce number that are internet facing • Reduce and simplify security interfaces • Add proxies to isolate data and applications steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 6. Security eBooks One Data Store per Server App Divide for Security Game Engine Player Assets Player Account Community Player Access Info • Separate Database & Access Account • Separate Data Store BETTER • Separate Virtual Server w/own Database App • Separate Actual Server Add “Connector” Datastores (Login Status, Player Stats, etc.) rather than links to critical databases steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 7. Security eBooks Combine with Proxy Security Some online games dangerously include a SQL client and talk directly to the game server Rules Validation Data Validation Validation Message Incoming Message Database • Protecting Database from SQL injection / direct queries • Allows Rules Validation on Server or reallocation to other players steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 8. Security eBooks Make Password Service a “Dumb Appliance” Secure User Name / Account Name Password Session Server Account Name / Password Identifier Server Password Identifier / Password Seed Login Server Password Identifier / Password Transform • Separate out Password verification from Login Service/Server • Have Password Service work at a slow pace • Use VERY SLOW Cryptography – Select algorithms or combinations of algorithms to take a specific amount of time… traditional cryptography is designed to run fast to support communications…. This is not the problem we face with passwords! • Consider Split Architectures steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 9. Security eBooks Protect Email and Online Service Identity Info… by Login Service taking them (Encrypted) Active offline Info Updates Service • Users don’t need regular Back Office access to their entire identity profile… so take Personal Info what is not needed regularly offline Email • Only have temporary store for user info while it is being entered or Payment Info changed steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 10. Security eBooks Six Forms of Personal ID • Separate them and use them all – Login Name Using emails for user names or – Internal Account Number user names for handles just – Handle (Community name) makes attacking easier – Email – Personal Contact Information – Payment Information steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 11. Security eBooks What next? • Don’t give up! • More security presentations at: http://free2secure.com/ • Check out my book “Protecting Games” – Additional information at http://playnoevil.com/ • You can “win” the security game steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
  • 12. Security eBooks About Me • Steven Davis – 25+ Years of Security Expertise – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications • http://www.linkedin.com/in/playnoevil – Author, “Protecting Games” • Why Free2Secure? – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/ – Join me there, ask questions, challenge assumptions, let’s make things better steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416

Notes de l'éditeur

  1. http://docs.oracle.com/cd/A97335_02/busint.102/a90287/vwarch1.gif